- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990)

Upstream changelog: http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt - New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161) - Using scripts form RHEL-7 (RHBZ#1240366) - New compat sub package for nftables compatibility - Install iptables-apply (RHBZ#912047) - Fixed module uninstall (RHBZ#1324101) - Incorporated changes by Petr Pisar - Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
2016-04-13 19:00:02 +02:00 · 2016-04-13 19:00:02 +02:00 · 6791134663
parent cea668f0bf
commit 6791134663
6 changed files with 198 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,4 @@ iptables-1.4.9.tar.bz2
 /iptables-1.4.18.tar.bz2
 /iptables-1.4.19.1.tar.bz2
 /iptables-1.4.21.tar.bz2
+/iptables-1.6.0.tar.bz2
--- a/6
+++ b/6
@ -46,3 +46,9 @@ IPTABLES_STATUS_VERBOSE="no"
 #   Value: yes|no,  default: yes
 # Print a counter/number for every rule in the status output.
 IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
--- a/iptables.init
+++ b/iptables.init
@ -23,12 +23,18 @@

 IPTABLES=iptables
 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
-RUN_SUBSYS=/run/lock/subsys
-RUN_SUBSYS_IPTABLES=${RUN_SUBSYS}/${IPTABLES}
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+    echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+    exit 4
+fi

 if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
@ -36,7 +42,7 @@ if [ ! -x /sbin/$IPTABLES ]; then
 fi

 # Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

@ -49,6 +55,7 @@ IPTABLES_SAVE_COUNTER="no"
 IPTABLES_STATUS_NUMERIC="yes"
 IPTABLES_STATUS_VERBOSE="no"
 IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""

 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
@ -174,9 +181,27 @@ set_policy() {
    return $ret
 }

+load_sysctl() {
+    # load matched sysctl values
+    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+        echo -n $"Loading sysctl settings: "
+        ret=0
+        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+            fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
+            let ret+=$?;
+        done
+        [ $ret -eq 0 ] && success || failure
+        echo
+    fi
+    return $ret
+}
+
 start() {
    # Do not start if there is no config file.
-    [ ! -f "$IPTABLES_DATA" ] && return 6
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
@ -194,7 +219,18 @@ start() {
    if [ $? -eq 0 ]; then
 	success; echo
    else
-	failure; echo; return 1
+	failure; echo;
+	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    if [ $? -eq 0 ]; then
+		success; echo
+	    else
+		failure; echo; return 1
+	    fi
+	else
+	    return 1
+	fi
    fi
    
    # Load additional modules (helpers)
@ -209,9 +245,11 @@ start() {
 	[ $ret -eq 0 ] && success || failure
 	echo
    fi
+    
+    # Load sysctl settings
+    load_sysctl

-    mkdir -p $RUN_SUBSYS
-    touch $RUN_SUBSYS_IPTABLES
+    touch $VAR_SUBSYS_IPTABLES
    return $ret
 }

@ -223,10 +261,9 @@ stop() {
    # on systems where the default policy is DROP and root device is
    # network-based (i.e.: iSCSI, NFS)
    set_policy ACCEPT
-    
    # And then, flush the rules and delete chains
    flush_n_delete
-
+    
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 	echo -n $"${IPTABLES}: Unloading modules: "
 	ret=0
@ -243,16 +280,22 @@ stop() {
 	echo
    fi
    
-    rm -f $RUN_SUBSYS_IPTABLES
+    rm -f $VAR_SUBSYS_IPTABLES
    return $ret
 }

 save() {
    # Check if iptable module is loaded
-    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 0
+    fi

    # Check if firewall is configured (has tables)
-    [ -z "$NF_TABLES" ] && return 6
+    if [ -z "$NF_TABLES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 6
+    fi

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

@ -260,7 +303,7 @@ save() {
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
-    TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
+    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
 	&& chmod 600 "$TMP_FILE" \
 	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
 	&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
@ -269,22 +312,24 @@ save() {
 	if [ -e $IPTABLES_DATA ]; then
 	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
 		&& chmod 600 $IPTABLES_DATA.save \
+		&& restorecon $IPTABLES_DATA.save \
 		|| ret=1
 	fi
 	if [ $ret -eq 0 ]; then
-	    cp -f $TMP_FILE $IPTABLES_DATA \
+	    mv -f $TMP_FILE $IPTABLES_DATA \
 		&& chmod 600 $IPTABLES_DATA \
+		&& restorecon $IPTABLES_DATA \
 	        || ret=1
 	fi
    fi
+    rm -f $TMP_FILE
    [ $ret -eq 0 ] && success || failure
    echo
-    rm -f $TMP_FILE
    return $ret
 }

 status() {
-    if [ ! -f "$RUN_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
 	echo $"${IPTABLES}: Firewall is not running."
 	return 3
    fi
@ -318,6 +363,51 @@ status() {
    return 0
 }

+reload() {
+    # Do not reload if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo; echo "Firewall rules are not changed."; return 1
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    return $ret
+}
+
 restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
@ -327,7 +417,7 @@ restart() {

 case "$1" in
    start)
-	[ -f "$RUN_SUBSYS_IPTABLES" ] && exit 0
+	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
 	start
 	RETVAL=$?
 	;;
@ -340,8 +430,12 @@ case "$1" in
 	restart
 	RETVAL=$?
 	;;
+    reload)
+	[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+	RETVAL=$?
+	;;      
    condrestart|try-restart)
-	[ ! -e "$RUN_SUBSYS_IPTABLES" ] && exit 0
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
 	restart
 	RETVAL=$?
 	;;
@ -350,7 +444,6 @@ case "$1" in
 	RETVAL=$?
 	;;
    panic)
-	flush_n_delete
 	set_policy DROP
 	RETVAL=$?
        ;;
@ -359,7 +452,7 @@ case "$1" in
 	RETVAL=$?
 	;;
    *)
-	echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
+	echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
 	RETVAL=2
 	;;
 esac
--- a/iptables.service
+++ b/iptables.service
@ -1,6 +1,7 @@
 [Unit]
 Description=IPv4 firewall with iptables
-ConditionPathExists=/etc/sysconfig/iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables

 [Service]
 Type=oneshot
--- a/iptables.spec
+++ b/iptables.spec
@ -6,16 +6,19 @@

 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
-Version: 1.4.21
-Release: 16%{?dist}
+Version: 1.6.0
+Release: 1%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
+Patch1: iptables-1.6.0-iptables-apply_mktemp.patch
 URL: http://www.netfilter.org/
-License: GPLv2
+# pf.os: ISC license
+# iptables-apply: Artistic Licence 2.0
+License: GPLv2/Artistic Licence 2.0/ISC
 # libnetfilter_conntrack is needed for xt_connlabel
 BuildRequires: pkgconfig(libnetfilter_conntrack)
 # libnfnetlink-devel is requires for nfnl_osf
@ -23,12 +26,36 @@ BuildRequires: pkgconfig(libnfnetlink)
 BuildRequires: libselinux-devel
 BuildRequires: kernel-headers
 BuildRequires: systemd
+BuildRequires: pkgconfig(libnftnl)
+BuildRequires: pkgconfig(libmnl) >= 1.0
+# libmnl, libnftnl, bison, flex for nftables
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: pkgconfig(libmnl) >= 1.0
+BuildRequires: pkgconfig(libnftnl) >= 1.0.5
+# libpcap-devel for nfbpf_compile
+BuildRequires: libpcap-devel
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}

 %description
 The iptables utility controls the network packet filtering code in the
 Linux kernel. If you need to set up firewalls and/or IP masquerading,
 you should install this package.

+%package libs
+Summary: iptables libraries
+Group: System Environment/Base
+
+%description libs
+iptables libraries.
+
+Please remember that libip*tc libraries do neither have a stable API nor a real so version.
+
+For more information about this, please have a look at
+
+  http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
+
+
 %package devel
 Summary: Development package for iptables
 Group: System Environment/Base
@ -38,7 +65,7 @@ Requires: pkgconfig
 %description devel
 iptables development headers and libraries.

-The iptc interface is upstream marked as not public. The interface is not 
+The iptc libraries are marked as not public by upstream. The interface is not
 stable and may change with every new version. It is therefore unsupported.

 %package services
@ -71,13 +98,21 @@ Utils for iptables.

 Currently only provides nfnl_osf with the pf.os database.

+%package compat
+Summary: nftables compatibility for iptables, arptables and ebtables
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description compat
+nftables compatibility for iptables, arptables and ebtables.

 %prep
 %setup -q
+%patch1 -p1 -b .iptables-apply_mktemp

 %build
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
-%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
+%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

 # do not use rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
@ -139,6 +174,10 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic
 sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
 install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

+# install iptables-apply with man page
+install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/
+install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
+
 %if 0%{?rhel}
 %pre
 for p in %{_sysconfdir}/alternatives/{iptables,ip6tables}.*; do
@ -170,17 +209,28 @@ done
 %doc INCOMPATIBILITIES
 %config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
 %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
-%{_sbindir}/iptables*
-%{_sbindir}/ip6tables*
+%{_sysconfdir}/ethertypes
+%{_sbindir}/iptables
+%{_sbindir}/iptables-apply
+%{_sbindir}/iptables-restore
+%{_sbindir}/iptables-save
+%{_sbindir}/ip6tables
+%{_sbindir}/ip6tables-restore
+%{_sbindir}/ip6tables-save
 %{_sbindir}/xtables-multi
+%{_sbindir}/nfbpf_compile
 %{_bindir}/iptables-xml
 %{_mandir}/man1/iptables-xml*
 %{_mandir}/man8/iptables*
 %{_mandir}/man8/ip6tables*
 %dir %{_libdir}/xtables
+%{_libdir}/xtables/libarpt*
+%{_libdir}/xtables/libebt*
 %{_libdir}/xtables/libipt*
 %{_libdir}/xtables/libip6t*
 %{_libdir}/xtables/libxt*
+
+%files libs
 %{_libdir}/libip*tc.so.*
 %{_libdir}/libxtables.so.*

@ -219,8 +269,26 @@ done
 %dir %{_datadir}/xtables
 %{_datadir}/xtables/pf.os

+%files compat
+%{_sbindir}/iptables-compat*
+%{_sbindir}/ip6tables-compat*
+%{_sbindir}/ebtables-compat*
+%{_sbindir}/arptables-compat
+%{_sbindir}/xtables-compat-multi

 %changelog
+* Wed Apr 13 2016 Thomas Woerner <twoerner@redhat.com> - 1.6.0-1
+- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990)
+  Upstream changelog:
+  http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
+- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
+- Using scripts form RHEL-7 (RHBZ#1240366)
+- New compat sub package for nftables compatibility
+- Install iptables-apply (RHBZ#912047)
+- Fixed module uninstall (RHBZ#1324101)
+- Incorporated changes by Petr Pisar
+- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
+
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.21-16
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-536d048c8e8eeebcd9757d0863ebb0c0  iptables-1.4.21.tar.bz2
+27ba3451cb622467fc9267a176f19a31  iptables-1.6.0.tar.bz2